The Cover PagesThe OASIS Cover Pages: The Online Resource for Markup Language Technologies
Advanced Search
Site Map
CP RSS Channel
Contact Us
Sponsoring CP
About Our Sponsors

Cover Stories
Articles & Papers
Press Releases

XML Query

XML Applications
General Apps
Government Apps
Academic Apps

Technology and Society
Tech Topics
Related Standards
Last modified: July 26, 2010
XML Daily Newslink. Monday, 26 July 2010

A Cover Pages Publication
Provided by OASIS and Sponsor Members
Edited by Robin Cover

This issue of XML Daily Newslink is sponsored by:
Microsoft Corporation

IETF Internet Draft: A SASL Mechanism for OAuth
William Mills, Tim Showalter, Hannes Tschofenig; IETF First Public Internet Draft

Members of the IETF Common Authentication Technology Next Generation (KITTEN) Working Group have published an initial level -00 Internet Draft on A SASL Mechanism for OAuth. The OAuth 2.0 Protocol specification defines the use of OAuth over HTTP or HTTP over TLS as defined by RFC 2818). .. OAuth provides a method for clients to access a protected resource on behalf of a resource owner. Before a client can access a protected resource, it must first obtain authorization from the resource owner, then exchange the access grant for an access token (representing the grant's scope, duration, and other attributes). The client accesses the protected resource by presenting the access token to the resource server.

The new Internet Draft "defines the use of OAuth over SASL. Simple Authentication and Security Layer (SASL) is a framework for providing authentication and data security services in connection-oriented protocols via replaceable mechanisms. The specification enables OAuth usage for non-HTTP-based application protocols. A future version of this document will describe the integration into the Generic Security Services Application Program Interface (GSS-APIO).

Details: The initial client response is formatted in the style of an HTTP request, and a GET line is included for the purposes of extensibility... The server validates the response as per the OAuth specification. If the protected resource requires a signed request (using one of the available signature method), the URL for the resource being authenticated is reconstructed per the OAuth specification from the HTTP style request passed by the client. The server responds to a successful OAuth authentication by completing the SASL negotiation. The OAuth token must carry the user id to be authenticated and the server must use the user in the OAuth credential as the user being authenticated... The server responds to failed authentication by sending discovery information and then failing the authentication...

OAuth supports authorization using signatures, which requires that both client and server construct the string to be signed. OAuth is designed for authentication/authorization to use a resource. SASL is designed for user authentication, and has no facility for being more specific. In this mechanism we require an HTTP style format specifically to support signature type authentication, but this is extremely limited. The HTTP style request is limited to a path of '/', because this mechanism is authenticating the user to the server. This mechanism is in the SASL model, but is designed so that no changes are needed if there is a revision of SASL which supports more specific resource authorization, e.g. IMAP access to a specific folder or FTP access limited to a specific directory..."

See also: the IETF Common Authentication Technology Next Generation WG

OGC Forms Open GeoSMS Standards Working Group (SWG)
Staff, Open Geospatial Consortium Announcement

The Open Geospatial Consortium (OGC) has announced "the formation of an Open GeoSMS Standards Working Group (SWG). The Open GeoSMS SWG will advance the OGC Candidate Open GeoSMS Standard as an OGC adopted standard. The GeoSMS candidate standard is currently an OGC Discussion Paper. The scope of the candidate standard is to define the exchangeable SMS format to exchange GPS information for different Location Based Service (LBS) devices or applications. The SWG will ensure that the standard is consistent with the OGC baseline and business plan.

The candidate Open GeoSMS standard defines a short messaging service (SMS) encoding to exchange lightweight location information between different mobile devices or applications. Currently such devices or applications are often unable to share location information with each other because of technical incompatibilities between systems used by different device and platform vendors. This causes problems for users and imposes obstacles to industry growth.

The GeoSMS encoding for location is compatible with other OGC standards, such as those for sensor webs and earth imaging. It is also compatible with standards such as the OASIS Common Alerting Protocol (CAP) standard and the IETF RFC Presence Information Data Format Location Object (PIDF-LO). The OGC works with OASIS, IETF and many other standards development organizations to make geospatial information and services an integral and fluid part of the world's information infrastructure.

The reason for proposing Open GeoSMS is because Location Based Service (LBS) devices or applications of different brands or from different vendors are often unable to share LBS information with each other and this causes a potential barrier to LBS industry development. In order to solve this problem in a simple way and without causing too many effort or cost, SMS is the best choice. The convenience of SMS is that user only needs to send SMS in text which follows the Open GeoSMS standard format, and then it's ready to be used. There is no need to change the infrastructure or existing systems. This means they can save money, time, and human resource when using Open GeoSMS. Therefore, two different types of machine from two different companies running in two different systems can communicate using the Open GeoSMS specification..."

See also: the Geography Markup Language (GML)

Public Beta for Drupal Gardens' Hosted Version of Open Source CMS
Paul Krill, InfoWorld

Drupal Gardens, the planned cloud version of the open source Drupal content management system, has entered a public beta stage, thus making it widely available for tryouts, said Drupal founder Dries Buytaert. The announcement was made at the O'Reilly Open Source Convention (OSCON) in Portland, Oregon.

The technology previously had been available through a controlled, private beta program... Drupal 7, the next major version of the CMS, still is in development, with developers still needing to fix about 44 critical bugs before it can be released... Drupal 7 will add support for the Microsoft SQL Server and Oracle databases, said Buytaert. Support of these databases should make it easier for large organizations to adopt Drupal...

Also at OSCON, during a keynote presentation, Jean Paoli cited Microsoft's launch of a website devoted to conversation about cloud interoperability. He cited four key interoperability elements of a cloud platform: data portability, standards, ease of migration, and deployment and developer choice.

Thursday's brief series of keynote presentations at OSCON also featured David Recordon, senior open programs manager at Facebook, who suggested possible additions to the popular LAMP (Linux Apache MySQL PHP/Perl Python) technology stack..."

See also: the Drupal Gardens web site

Available Authentication Mechanisms for OData Services and Clients
Dilip Krishnan, InfoQueue

The WCF Data Services Team members have recently been presenting a series on the available authentication mechanisms for client/OData service authentication. OData is an implementation of the ATOMPub protocol with extensions to query and update ATOM resources.

From the OData web site: "The Open Data Protocol (OData) is a Web protocol for querying and updating data that provides a way to unlock your data and free it from silos that exist in applications today. OData does this by applying and building upon Web technologies such as HTTP, Atom Publishing Protocol (AtomPub) and JSON to provide access to information from a variety of applications, services, and stores. The protocol emerged from experiences implementing AtomPub clients and servers in a variety of products over the past several years. OData is being used to expose and access information from a variety of sources including, but not limited to, relational databases, file systems, content management systems and traditional Web sites.

OData is consistent with the way the Web works: it makes a deep commitment to URIs for resource identification and commits to an HTTP-based, uniform interface for interacting with those resources (just like the Web). This commitment to core Web principles allows OData to enable a new level of data integration and interoperability across a broad range of clients, servers, services, and tools. OData is released under the Open Specification Promise to allow anyone to freely interoperate with OData implementations..."

Alex James, Program Manager on the Data Services Team provides a series of articles, in an attempt to field authentication related questions. The answer lies in specific usage scenarios, each of which addresses a different type of challenge. Alex frames the answer as a set of questions that provide insights into the appropriate authentication option, e.g., (1) How does an OData Consumer logon to an OData Producer? (2) How does a WCF Data Service impersonate the OData Consumer so database queries run under context of the consumer? (3) How do you integrate an OData Consumer connecting with an OAuth aware OData Producer? (4) How do you federate a corporate domain with an OData Producer hosted in the cloud, so apps running under a corporate account can access the OData Producer seamlessly? [...]

See also: the Authentication Series

W3C Workshop Call for Participation 'The Multilingual Web: Where Are We?'
Staff, Workshop Announcement

"W3C is organizing a Workshop: The Multilingual Web - Where Are We? to take place 26-27 October 2010 in Madrid, Spain. Workshop participants will survey and introduce currently available best practices and standards that help content creators, localizers, language technology developers, browser makers, and others meet the challenges of the multilingual Web.

The Workshop also provides opportunities for networking that span the various communities involved in enabling the multilingual Web. Participation is free and open to anyone. However, space is limited and participants must send an expression of interest to the program committee. People wishing to speak should also submit a presentation outline as soon as possible.

This is the first of four Workshops being planned by W3C over the next two years as part of the MultilingualWeb European Project. The first Workshop is hosted by the Universidad Politécnica de Madrid.

The workshop is expected to attract a broad set of stakeholders, including managers and practitioners working in the areas of content development, design, localization, and production management; developers of tools such as translation tools, content management systems, editors, etc; researchers and developers working with language technology and resources; browser implementors; standards and industry body representatives; and many more. The interchange of information and perspectives from this diverse group is expected to provide a more thorough picture of the existing landscape for multilingualism on the Web...."

See also: the W3C Internationalization (I18n) Activity

An Architecture for Location and Location Privacy in Internet Applications
Richard Barnes, Matt Lepinski, Alissa Cooper (et al, eds), IETF Internet Draft

On July 09, 2010 the Internet Engineering Steering Group (IESG) issued a Last Call review for An Architecture for Location and Location Privacy in Internet Applications. IESG has received a request from the IETF Geographic Location/Privacy WG (GEOPRIV) to consider this specification as an IETF BCP. The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the IETF mailing list by 2010-07-23.

Document abstract: "Location-based services (such as navigation applications, emergency services, management of equipment in the field) need geographic location information about Internet hosts, their users, and other related entities. These applications need to securely gather and transfer location information for location services, and at the same time protect the privacy of the individuals involved. This document describes an architecture for privacy-preserving location-based services in the Internet, focusing on authorization, security, and privacy requirements for the data formats and protocols used by these services."

Privacy: "While location-based services raise some privacy concerns that are common to all forms of personal information, many of them are heightened and others are uniquely applicable in the context of location information... The Geopriv model departs from this paradigm for privacy protection. As explained above, location information can be uniquely sensitive. And as siloed location-based services emerge and proliferate, they increasingly require standardized protocols for communicating location information between services and entities. Recognizing both of these dynamics, Geopriv gives data subjects the ability to express their choices with respect to their own location information, rather than allowing the recipients of the information to define how it will be used. The combination of heightened privacy risk and the need for standardization compelled the Geopriv designers to shift away from the prevailing Internet privacy model, instead empowering users to express their privacy preferences about the use of their location information...

By binding privacy rules to location information, however, Geopriv provides valuable information about users' privacy preferences, so that non-technical forces such as legal contracts, governmental consumer protection authorities, and marketplace feedback can better enforce those privacy preferences. If a commercial recipient of location information, for example, violates the location rules bound to the information, the recipient can in a growing number of countries be charged with violating consumer or data protection laws..."

See also: the IETF Geographic Location/Privacy (GEOPRIV) Working Group Status Pages

XML Pioneer Pitches Functional Programming for Concurrency
Paul Krill, InfoWorld

Rather than using threads, functional programming presents the superior approach for developers who must program for newfangled multicore processors, XML co-inventor Tim Bray stressed at a technical conference on Friday. Programming for multicore chips requires that developers deal with concurrency, which brings its own issues, Bray said in a presentation at the O'Reilly Open Source Convention (OSCON 2010) conference in Portland, Oregon. Multicore processors have become popular as Moore's Law pertaining to increased single-core processor performance has run out of steam...

Historically, it has been thought that the way to program for concurrency is through threading; but programming with threads, which offer multiple access to shared, mutable data, is something that is not understood by application programmers...concurrency is hard... it involves a lot of problems that are very difficult to think about and reason about and understand... But functional programming, leveraged in languages such as Erlang and Clojure, offers a way to tackle concurrency.

'The idea of functional programming is that data is immutable. You can't share data...if data cannot be shared, then developers do not have to worry about more than one person changing it at once... immutable data allows for use of pointers instead of sending the real data...

Erlang has no classes, objects, or variables, and its file handling is miserable, but there is still a lot to love about it'..."

Jailbreaking Officially Granted DMCA Exemption
Dan Moren, NetworkWorld

"If you jailbreak your iPhone to add third-party software, you can do so with the comfort of knowing you aren't violating copyright laws, after a federal ruling came down on 2010-07-26. The U.S. Librarian of Congress ruled on Monday that consumers who circumvent digital protections on smartphones to install unapproved applications—a practice often colloquially known as 'jailbreaking'--for noninfringing reasons should be exempted from prosecution under the anti- circumvention section of the Digital Millennium Copyright Act (DMCA).

The proposed exemption on jailbreaking was first put forth in 2008 by the Electronic Freedom Foundation, which argued that users should be allowed to jailbreak their phones to install, for personal use, legally acquired third-party software. Apple, for its part, argued against the exemption in an extensive filing contending that an exemption for jailbreaking would lead to more widespread piracy and additional support costs for the company. Two software developers, the Mozilla Corporation and Skype Communications, filed documents in support of the EFF's argument...

It's worth noting that the jailbreak ruling does not force Apple or other handset makers to remove copy protection from their software. Rather, those users who do choose to circumvent the protections will not be subject to criminal prosecution for the act of circumvention.

In theory, the exemption could legitimize the third parties who are already creating software that does not require Apple's approval, which in turn may open the door for established companies such as Mozilla to create software that Apple would otherwise not approve — an iPhone-native version of the Firefox Web browser, for example..."

See also: the Statement of the Librarian of Congress Relating to Section 1201 Rulemaking


XML Daily Newslink and Cover Pages sponsored by:

IBM Corporation
ISIS Papyrus
Microsoft Corporation
Oracle Corporation

XML Daily Newslink:
Newsletter Archive:
Newsletter subscribe:
Newsletter unsubscribe:
Newsletter help:
Cover Pages:

Hosted By
OASIS - Organization for the Advancement of Structured Information Standards

Sponsored By

IBM Corporation
ISIS Papyrus
Microsoft Corporation
Oracle Corporation


XML Daily Newslink
Receive daily news updates from Managing Editor, Robin Cover.

 Newsletter Subscription
 Newsletter Archives
Globe Image

Document URI:  —  Legal stuff
Robin Cover, Editor: